Red Hat Bugzilla – Bug 5263
PAM configuration is inherently broken
Last modified: 2008-05-01 11:37:51 EDT
it appears that PAM is suffering from some fundamental
architecture problems with regards to authentication
beyound the normal UID/GID credentials. namely, some
institutions rely on services such as kerberos whose
authentication methods are not easily performed using the
this is truly a shame because you are now requiring people
to roll their own methods for authentication instead of
being able to use a PAM module.
And your suggested alternative is?
xdm's architecture unfortunately does not lend itself to proper
pamification. For Red Hat Linux 6.1, I'm happy to report that it
looks like we'll be using gdm 2.0, which is the first *dm to do
proper PAM authentication, to the best of my knowledge. If there
are bugs in that support, we certainly want to know about it.
I'm going to mark this as "fixed in the next release"; if gdm 2
as I expect ships in 6.1 does not work for you with that module,
please re-open this bug report with details.
If you have reports of other programs not working with the
kerberos PAM modules you are using, please open seperate bug
reports against each of those programs so that we will not
miss some of them.
Please note that some programs are constrained by protocol
(such as IMAP) and so cannot be made to take full advantage
of PAM's flexibility. Sorry, but our hands are tied in those
I'm the person who maintains the (modified Red Hat) Linux distribution
for CMU ECE.
Kerberos is actually the least of the problems with PAM --- and xdm is
not the only program which has problems.
Kerberos-related PAM issues easily worked around by adding a chown()
in the appropriate PAM module after acquiring tickets and storing them
in the ticket cache. The real problem is that the Kerberos tickets
are then used to acquire AFS tokens (modified Kerberos service
tickets), which are stuffed into a kernel-side cache called a PAG so
the AFS client filesystem code can authenticate to the AFS servers.
The difficulty is that when many programs invoke the PAM session
stack, they are running in the server's context; while for Kerberos
this means that files created by the PAM module have the wrong owner,
for AFS it means that multiple connections will share the same PAG and
therefore the same AFS permissions.
I should note that this is also not limited to Red Hat's products:
xscreensaver does some things wrong when AFS PAM modules are involved,
and Sun's CDE has to be patched to work with AFS PAM modules. It
seems to be a general problem with knowing when to invoke PAM module
This issue caused several departments at CMU to avoid Red Hat 6.0.